src: resolve TODO related to inspector CVEs
This was not done before the security release because the latest CVE was
not known at the time.

PR-URL: #45341
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
tniessen authored and danielleadams committed Dec 30, 2022
1 parent ae3119b commit 9c23dab
Showing 1 changed file with 3 additions and 4 deletions.
7 changes: 3 additions & 4 deletions src/inspector_socket.cc
@@ -162,11 +162,10 @@ static std::string TrimPort(const std::string& host) {
}

static bool IsIPAddress(const std::string& host) {
// TODO(tniessen): add CVEs to the following bullet points
// To avoid DNS rebinding attacks, we are aware of the following requirements:
// * the host name must be an IP address,
// * the IP address must be routable, and
// * the IP address must be formatted unambiguously.
// * the host name must be an IP address (CVE-2018-7160, CVE-2022-32212),
// * the IP address must be routable (hackerone.com/reports/1632921), and
// * the IP address must be formatted unambiguously (CVE-2022-43548).

// The logic below assumes that the string is null-terminated, so ensure that
// we did not somehow end up with null characters within the string.
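Review bot: the routability bullet cites a HackerOne report (hackerone.com/reports/1632921) where the other two bullets cite CVE identifiers; if that report has or later receives a CVE, reference it here so all three requirements are consistent and searchable by identifier, and in the meantime consider the full URL `https://hackerone.com/reports/1632921` so the link is unambiguous. Now that the TODO is gone, the lead-in "we are aware of the following requirements" still reads as a note-to-self; rewording it to say that the checks below are meant to enforce these three requirements would make clearer what IsIPAddress guarantees to its callers.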
